KNOX: Samsung's big push to win the enterprise from BlackBerry and iOS

KNOX icons on a Samsung phone demoed at Mobile World Congress. Credit: Ron Miller

Samsung dominated the news from the Mobile World Congress this week with the announcement of its KNOX platform. KNOX will ship in the second quarter of this year and is designed to set the bar for enterprise-grade mobile technology. To put it simply, KNOX is Samsung's attempt to out-BlackBerry the BlackBerry 10 along with Apple's iOS and become the dominant enterprise mobility platform.

What exactly is KNOX and how does it relate to Samsung's SAFE program?

Samsung introduced its SAFE program more than a year ago. The program is designed to offer enterprise IT groups the same kind of granular management features found in the classic BlackBerry devices and the BlackBerry Enterprise Server. Although only the recent Galaxy S III and Galaxy Note II ship with SAFE branding on the device, the program also incorporates some earlier Samsung products. In recent months, Samsung has waged an ad campaign to inform potential customers about the security features available in its SAFE-certified devices compared to other Android phones and tablets.

As I noted recently, the campaign positioned Samsung as a serious competitor to Apple in the enterprise market. Given that Apple almost never advertises (or even acknowledges) the enterprise chops of its platforms, I argued that the campaign could put Apple's leading enterprise position in jeopardy.

Although Samsung describes KNOX as "aligned" with SAFE, the company is making it pretty clear that KNOX and SAFE are two different entities. While SAFE is designed to offer 300+ security policies, the program is not as deeply integrated into devices or the Android OS as KNOX. In other words SAFE can be thought of as a subset of the capabilities built into KNOX.

To ensure an extreme level of device and data security, KNOX incorporates a special version of Android called SE Android that was developed by the U.S. National Security Agency (NSA). KNOX also incorporates integrity management services that ensure a device hasn't been tampered with or compromised. These are built into a device's hardware as well as implemented within the Android OS that runs on that hardware. All of this enables a level of security on Android higher than anything that has been released to the mass market to date.

That security, combined with file-level encryption, allows KNOX to separate personal apps and content from business apps and data. The KNOX technology creating and enforcing that separation prevents files, content, or other data from being moved or copied from one container to the other. It also ensures that personal apps and malware cannot interact with business content. That security can work both ways, and it ensures the privacy of personal data on a device that is managed by IT.

The KNOX container

Users can access the secure KNOX container via an icon on a device's home screen. Through IT management, access to the container can be restricted using enterprise credentials like an Active Directory user account. IT can also determine how long a user can access the KNOX container before being required to re-authenticate -- most likely after a period of inactivity.

Credit: Ron Miller
Small lock icons indicate apps that work within the KNOX container.

The container can contain a range of apps populated by IT using mobile app management (MAM) tools. These can include enterprise apps developed in-house as well as third party apps. There is also the potential for enterprise app store support as well. Because KNOX is fully compatible with the Android ecosystem, commercial apps can be included in the container without requiring any modifications.

Apps that provide access to enterprise resources can take advantage of the mobile authentication services to deliver single sign-on and secure zero-sign-on authentication, allowing users to access those enterprise resources without needing to repeatedly enter credentials for each. This is made possible by the OEM agreement between Samsung and Centrify. Centrify already has a portfolio of business app and service vendors that support these features as well as a developer program that allows app makers and enterprise developers to integrate them.

Beyond the container

KNOX supports the 300+ security and management policies introduced with the SAFE program. It also ships with additional security APIs that leave IT administrators with a toolkit of over 700 device management APIs that can be used to lock down and configure KNOX devices. That goes even beyond the number of policies that legacy BlackBerry systems offer (by about 200 or so).

As with SAFE, those policies can be managed using various third-party mobile management systems. As of this writing, several vendors have announced support for KNOX management and security features. 

Beyond those security and management policies, KNOX also supports integration with various key enterprise systems including MAM tools, Active Directory authentication, Exchange ActiveSync, multi-factor authentication systems, and various VPN technologies. 

Can KNOX dominate the enterprise?

All of these features and functionality are a remarkable leap over what's available today. Samsung is right to refer to KNOX as a platform. Although it is Android-based and fully integrates with the Android ecosystem, KNOX is essentially its own platform. That's impressive but it may end up being problematic as well.

If part of KNOX functions in hardware, Samsung will need to build devices specifically designed to include KNOX and those devices may only represent a portion of Samsung's product lines. Samsung seems to be confirming that fact along with the assumption that current devices won't be able to support KNOX (at least not in its entirety) in the last line of its announcement.

KNOX will be commercially available in selected Samsung GALAXY devices from Q2 2013 onwards.

That means that while Samsung is closing many enterprise holes in Android by developing KNOX, it may not be able to close one big one: the overarching fragmentation of the platform. You could even argue that by creating KNOX as a new class of Android devices, Samsung is actually increasing Android's overall fragmentation.

Apple's iOS provides an interesting counterpoint to Android fragmentation and even to KNOX as an enterprise option. Whatever else you can say about iOS as a mobile platform, it is consistent. The same base of enterprise security and management features extends to every current iPhone and iPad (and iPod touch) as well as to somewhat older devices like the iPhone 3GS.

That consistency doesn't exist for Android. Even though Samsung is the world's biggest Android manufacturer, it is far from the only one. Look at any coverage from Mobile World Congress this week and you'll see plenty of announcements from other Android device makers.

For Samsung to make a solid impact with KNOX, it needs to get as many KNOX devices as possible out and into the market. That means every possible segment of the smartphone market -- consumer, business, education, healthcare, government, and any place else -- not just the clearly defined "business and enterprise market."

Again, Apple provides an example of what Samsung must strive to achieve. Every iOS device that Apple ships, regardless of whether it is bought by a business user, doctor, lawyer, high school student, stay-at-home mom, government employee, or anyone else, includes Apple's mobile management capabilities. Each one can be brought into the workplace and secured and managed in the same ways. That's one factor that has helped the iPhone and iPad establish themselves as major players in business. If Samsung wants KNOX to dominate the business and enterprise market, it needs to follow that playbook.

Putting it a different way: For KNOX, dominance of the mobile enterprise space requires ubiquity.

KNOX and heterogeneous BYOD

BYOD is not an all-or-nothing proposition. Many organizations are developing tiered BYOD policies that grant different levels of access to corporate resources based on the security capabilities of a user's device -- including the device itself, the platform, and version of the mobile OS running on it. These models grant broad access to corporate data and enterprise to highly secured devices. Devices running older OS revisions that cannot be as fully secured are often limited to Wi-Fi and Exchange services.

This delivers a great opportunity for KNOX in the enterprise BYOD space.  If Samsung continues the trend that it began with the SAFE program -- making its flagship devices KNOX devices -- then it increases the chance of KNOX's adoption through BYOD programs while other Android devices (and potentially non-Android mobile devices like the iPhone/iPad or Windows Phone) may be adopted by mobile workers in decreasing numbers.

For companies that offer cost-sharing as a part of BYOD, with employees receiving a partial reimbursement of mobile device and service costs or a monthly stipend towards the devices, apps, and carrier of their choice, KNOX may be integrated as a preferred option. Many companies provide a list of preferred devices as part of their BYOD policy. Users selecting those devices may receive better cost-sharing deals, a wider selection of employer-purchased apps, broader technical support and other incentives (including greater network access).

COPE and corporate-owned device models

BYOD may be the focus that Samsung is aiming for with its literature about KNOX, but the greatest market for KNOX is actually corporate-issued devices. Although the BYOD trend has a lot of momentum, there are a number of organizations that still prefer to issue company-owned smartphones and tablets.

In fact, the corporate-owned, personally enabled (COPE) model, in which employees are given a corporate-owned device, is an ideal model for KNOX.

COPE is generally seen as a modern alternative to BYOD where an employer provides the device and service (often at no cost to the employee). Although some management and security is implemented, the restrictions are kept to a minimum wherever possible and users are encouraged to use COPE devices as their personal phones or tablets. Some organizations even offer employees the chance to buy their COPE devices when they move onto other jobs.

Outside of COPE, the extreme security of KNOX allows IT and security pros to use the highly secured approaches that characterized the BlackBerry era. For regulated industries and professions that require the highest levels of confidentiality -- healthcare, finance, law, government, etc. -- KNOX will be a tremendous option. These are the markets that KNOX seems specifically designed to target and KNOX will almost certainly succeed in them because there is really no other viable platform that offers that level of security.

There is also potential for KNOX in a variety of shared and kiosk-style deployments. Some examples of these types of deployments include flight attendants using mobile devices to handle traveler needs and requests, medical practices where patients enter health data electronically, wait staff taking orders in restaurants, mobile POS systems, electronic brochures and ordering systems for sales staff, and info-tainment solutions provided to travelers at boutique hotels. In all of those situations, the most locked down and pre-configured device is the ideal option, and that presents Samsung with a huge number of opportunities.

In the end, KNOX is a game changer

Ultimately, the introduction of KNOX is a game changer for enterprise mobility. It fills a void in the market of highly secure device options that has developed as BlackBerry has foundered over the past few years. It also meets the critical need for a secure separation between sensitive business data and business-related apps on one side and personal apps and content on the other. It gives, in a single package, the advantages of the two-device strategy seen in some circles like government, where users still carry a highly managed work device (often a BlackBerry) and a more modern and usable personal device.

Of course, Samsung is far from being the only company that addresses this need. Dual-persona and containerization solutions are emerging as the next wave of mobile management. BlackBerry has already shipped devices that support its BlackBerry Balance feature. VMware is actively developing its Horizon platform. And a range of mobile management vendors are working towards similar goals.

Samsung, however, has an edge in this area for two reasons. First, it is the most popular smartphone maker in the world, which gives it enormous market power. Second and most important, it is implementing KNOX at a hardware and core OS level. That's something that gives KNOX much stronger security than anything that an after-market MDM product can offer. The only other company with those same advantages and potential to go toe-to-toe with an alternative to KNOX is Apple. Provided Apple digs in with an equally robust and serious enterprise security and management focus in iOS 7, KNOX may very well be the first new shot in another Apple-Samsung mobility war.
